Example #1
0
        //Get interesting DACL if a target user has permission on it
        public static DACL GetMyInterestingACLOnObject(string targetDn, List <string> sidList)
        {
            logger.Debug($"Collecting Interesting ACLs on {targetDn}");

            var   interestingACEs = new Dictionary <string, List <string> >();
            Regex gpoRx           = new Regex(@"=(\{.+?\}),", RegexOptions.Compiled);


            var rules = GetAuthorizationRules(targetDn, out string ownerSID);

            if (rules == null)
            {
                return(null);
            }

            //Adapted from https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1#L3746
            Regex rights = new Regex(@"(GenericAll)|(.*Write.*)|(.*Create.*)|(.*Delete.*)", RegexOptions.Compiled);

            //Regex replica = new Regex(@"(.*Replication.*)", RegexOptions.Compiled);

            //string[] dcsync = { "DS-Replication-Get-Changes", "DS-Replication-Get-Changes-All", "DS-Replication-Get-Changes-In-Filtered-Set" };

            foreach (ActiveDirectoryAccessRule rule in rules)
            {
                var sid = rule.IdentityReference.ToString();

                if (sidList.Contains(sid) || sidList.Contains(ownerSID))
                {
                    string IR       = Helper.SIDNameSID(sid);
                    string objType  = rule.ObjectType.ToString();
                    string adRights = rule.ActiveDirectoryRights.ToString();

                    logger.Debug($"{targetDn}:{IR}: ADRights:  {adRights} ObjectType: {objType}");

                    //Ignore the following extended rights
                    //edacfd8f-ffb3-11d1-b41d-00a0c968f939 Apply-Group-Policy
                    //ab721a55-1e2f-11d0-9819-00aa0040529b Send-To
                    if ((rights.IsMatch(adRights) || adRights == "ExtendedRight") &&
                        rule.AccessControlType.ToString() == "Allow" &&
                        objType.ToLower() != "edacfd8f-ffb3-11d1-b41d-00a0c968f939" &&
                        objType.ToLower() != "ab721a55-1e2f-11d0-9819-00aa0040529b")
                    {
                        string userRights = null;

                        if ((adRights == "ExtendedRight") && rule.AccessControlType.ToString() == "Allow")
                        {
                            //The ObjectType GUID maps to an extended right registered in the current forest schema, then that specific extended right is granted
                            //Reference: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
                            userRights = Rights.ResolveRightsGuid(objType, true);
                        }
                        else
                        {
                            string schemaName = Rights.ResolveRightsGuid(objType, false);
                            userRights = schemaName + $" ({adRights})";
                        }

                        if (interestingACEs.ContainsKey(IR))
                        {
                            interestingACEs[IR].Add(userRights);
                        }
                        else
                        {
                            interestingACEs.Add(IR, new List <string> {
                                userRights
                            });
                        }
                    }
                }
            }
            //check owner
            string owner = Helper.SIDNameSID(ownerSID);

            if (interestingACEs.ContainsKey(owner))
            {
                interestingACEs[owner].Add("Owner");
            }

            string key;
            Match  matchGPO = gpoRx.Match(targetDn);

            if (matchGPO.Success)
            {
                string gpoID   = matchGPO.Groups[1].ToString().ToUpper();
                string gpoName = GPO.GroupPolicies[gpoID];
                key = gpoID + " " + gpoName;
            }
            else
            {
                key = targetDn;
            }
            if (interestingACEs == null || interestingACEs.Count == 0)
            {
                return(null);
            }
            return(new DACL {
                ObjectName = key, ACEs = interestingACEs
            });
        }
Example #2
0
        //Get DACL for certificate authories, certificate templates
        public static DACL GetCSACL(string target, ActiveDirectorySecurity sec, out bool hasControlRights, bool getTemplateACL = false)
        {
            hasControlRights = false;

            var rules = sec.GetAccessRules(true, true, typeof(SecurityIdentifier));

            if (rules == null)
            {
                return(null);
            }
            var ownerSID = sec.GetOwner(typeof(SecurityIdentifier)).ToString();
            var ACEs     = new Dictionary <string, List <string> >();

            foreach (ActiveDirectoryAccessRule rule in rules)
            {
                string objType  = rule.ObjectType.ToString();
                string sid      = rule.IdentityReference.ToString();
                string IR       = Helper.SIDNameSID(sid);
                string adRights = rule.ActiveDirectoryRights.ToString();

                if (rule.ActiveDirectoryRights.ToString().Contains("ExtendedRight"))
                {
                    //The ObjectType GUID maps to an extended right registered in the current forest schema, then that specific extended right is granted
                    //Reference: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf

                    adRights = adRights.Replace("ExtendedRight", $" [{Rights.ResolveRightsGuid(objType, true)} {rule.AccessControlType}]");
                }

                logger.Debug($"{target}:{IR}: ADRights: {adRights} ObjectType: {objType} AccessControlType: {rule.AccessControlType}");

                if (getTemplateACL)//Get ACL for certificate template
                {
                    if (rule.AccessControlType.ToString() == "Allow" && Helper.IsLowPrivSid(sid))
                    {
                        //If a low priv user has certain control over the template
                        if (((rule.ActiveDirectoryRights & ActiveDirectoryRights.GenericAll) == ActiveDirectoryRights.GenericAll) ||
                            ((rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteOwner) == ActiveDirectoryRights.WriteOwner) ||
                            ((rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteDacl) == ActiveDirectoryRights.WriteDacl)
                            //|| rule.ObjectType.ToString() == "0e10c968-78fb-11d2-90d4-00c04f79dc55" //Certificate-Enrollment
                            || ((rule.ActiveDirectoryRights & ActiveDirectoryRights.WriteProperty) == ActiveDirectoryRights.WriteProperty && objType == "00000000-0000-0000-0000-000000000000"))
                        {
                            hasControlRights = true;
                            if (ACEs.ContainsKey(IR))
                            {
                                ACEs[IR].Add(adRights);
                            }
                            else
                            {
                                ACEs.Add(IR, new List <string> {
                                    adRights
                                });
                            }
                        }
                        //If a low priv user can enroll
                        else if ((rule.ActiveDirectoryRights.ToString().Contains("ExtendedRight")) && (objType.ToLower() == "0e10c968-78fb-11d2-90d4-00c04f79dc55" || objType == "00000000-0000-0000-0000-000000000000"))
                        {
                            if (ACEs.ContainsKey(IR))
                            {
                                ACEs[IR].Add(adRights);
                            }
                            else
                            {
                                ACEs.Add(IR, new List <string> {
                                    adRights
                                });
                            }
                        }
                    }
                }
                else//Get ACL for certificate authority
                {
                    string csRights = ((CertificationAuthorityRights)rule.ActiveDirectoryRights).ToString();
                    if (ACEs.ContainsKey(IR))
                    {
                        ACEs[IR].Add(csRights);
                    }
                    else
                    {
                        ACEs.Add(IR, new List <string> {
                            csRights
                        });
                    }
                }
            }

            if (ACEs.Count == 0)
            {
                return(null);
            }

            string owner = Helper.SIDNameSID(ownerSID);

            if (ACEs.ContainsKey(owner))
            {
                ACEs[owner].Add("Owner");
            }
            else
            {
                ACEs.Add(owner, new List <string> {
                    "Owner"
                });
            }

            return(new DACL {
                ObjectName = $"DACL on {target}", ACEs = ACEs
            });
        }
Example #3
0
        //Get DACL on an object
        public static DACL GetACLOnObject(string targetDn)
        {
            logger.Debug($"Collecting ACLs on {targetDn}");

            var   ACEs  = new Dictionary <string, List <string> >();
            Regex gpoRx = new Regex(@"=(\{.+?\}),", RegexOptions.Compiled);

            var rules = GetAuthorizationRules(targetDn, out string ownerSID);

            if (rules == null)
            {
                return(null);
            }

            foreach (ActiveDirectoryAccessRule rule in rules)
            {
                var    sid      = rule.IdentityReference.ToString();
                string IR       = Helper.SIDNameSID(sid);
                string objType  = rule.ObjectType.ToString();
                string adRights = rule.ActiveDirectoryRights.ToString();

                logger.Debug($"{targetDn}:{IR}: ADRights: {adRights} ObjectType: {objType} AccessControlType: {rule.AccessControlType}");

                string userRights = null;

                if (adRights.Contains("ExtendedRight"))
                {
                    //The ObjectType GUID maps to an extended right registered in the current forest schema, then that specific extended right is granted
                    //Reference: https://www.blackhat.com/docs/us-17/wednesday/us-17-Robbins-An-ACE-Up-The-Sleeve-Designing-Active-Directory-DACL-Backdoors-wp.pdf
                    userRights = Rights.ResolveRightsGuid(objType, true) + $" [{rule.AccessControlType}]";
                    userRights = adRights.Replace("ExtendedRight", $"[ExtendedRight: {userRights}]");
                }
                else
                {
                    string schemaName = Rights.ResolveRightsGuid(objType, false);
                    userRights = schemaName + $" ({adRights} [{rule.AccessControlType}])";
                }

                if (ACEs.ContainsKey(IR))
                {
                    ACEs[IR].Add(userRights);
                }
                else
                {
                    ACEs.Add(IR, new List <string> {
                        userRights
                    });
                }
            }
            string owner = Helper.SIDNameSID(ownerSID);

            if (ACEs.ContainsKey(owner))
            {
                ACEs[owner].Add("Owner");
            }
            else
            {
                ACEs.Add(owner, new List <string> {
                    "Owner"
                });
            }

            string key;
            Match  matchGPO = gpoRx.Match(targetDn);

            if (matchGPO.Success)
            {
                string gpoID   = matchGPO.Groups[1].ToString().ToUpper();
                string gpoName = GPO.GroupPolicies[gpoID];
                key = gpoID + " " + gpoName;
            }
            else
            {
                key = targetDn;
            }
            return(new DACL {
                ObjectName = key, ACEs = ACEs
            });
        }